I run a website which uses usernames/passwords to be able to get to the members areas. Right now, when a new user signs up, they fill in a form and all their information is saved to a straight text file in a protected directory. I am about to create a page so that a user may retrieve a lost password.

I have been reading some of the posts in this thread and most everyone is using some sort of password encryption. I am not and was wondering what the consequences are. Keep in mind that the text files are in a protected directory. The reason I avoided the password encryption was because I wanted to be able to automate the lost password retrieval and did not know how to decrypt the encrypted passwords.

Unless you are using a custom encryption algorithm, it is pretty much impossible to decrypt anything encrypted with the standard Unix crypt() function. What I suggest doing is to go ahead and encrypt the password. When a user loses his/her password, you can reset it to a temporary random string and send it to the user via email. Once the user is logged in, they may change it to whatever they want.

(also pm'd you this message by accident...) --Philip FuzzyLogic at PerlMad dot com
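
The reset flow suggested in the reply above, as an added example that is not part of the original thread. It assumes an in-memory dict in place of the text file and uses PBKDF2 from Python's hashlib as the one-way hash instead of crypt(); the function names are hypothetical and sending the email is left to the caller.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), record)


def reset_password(users, username):
    """Replace the stored hash with one for a random temporary password.

    Returns the temporary password so the caller can email it, or None for
    an unknown user. The account is flagged so the user must pick a new one.
    """
    if username not in users:
        return None
    temporary = secrets.token_urlsafe(12)
    users[username] = {"hash": hash_password(temporary), "must_change": True}
    return temporary


def change_password(users, username, current, new):
    """Let a logged-in user swap the temporary password for their own."""
    account = users.get(username)
    if account is None or not verify_password(current, account["hash"]):
        return False
    users[username] = {"hash": hash_password(new), "must_change": False}
    return True


if __name__ == "__main__":
    # Constructed sample account standing in for one line of the text file.
    users = {"alice": {"hash": hash_password("forgotten"), "must_change": False}}
    temp = reset_password(users, "alice")
    print("email to alice:", temp)
    print("old password still works:", verify_password("forgotten", users["alice"]["hash"]))
```

Nothing in the store can be turned back into a password, so the lost-password page never retrieves anything: it only overwrites the hash and hands out a one-time replacement.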